URL redirects open scareware loophole at major sites

Combine open redirect web pages with search engine optimizations and you get a …

URL redirect notifications are often meant to serve as security measures, but at least one malware blackhat is exploiting these services and redirecting site visitors from the website they think they are about to visit to a spyware-infested haven. That's bad enough on its own, but the as-yet-unknown assailant has also used search engine optimizations to push the polluted redirectors higher in Google's search rankings.

Part of the problem—a significant part—is that many companies and websites use open redirects that will cheerfully redirect incoming traffic to whatever URL they're asked to send it to, even if that traffic didn't originate within the host site. When MySpace or Microsoft inform you that you're about to be redirected off their site, they don't perform any sort of check to see if that's a good place for you to be going.

That lack of security is now turning out to be a problem. According to security researcher Gary Warner, an attacker can first seed infected links across a wide variety of blogs, guestbook entries, forum posts, and false stories. Since the links reference prominent websites that already hold high Google ranks, the false posts themselves are more likely to be presented as initial results.

The malware hook, in this case, is double-baited. By using a popular set of keywords (say, World of Warcraft) and attaching them to an IBM redirect, our spammer has built himself a nifty trap. If all goes well, misdirected search traffic begins to flow into whatever domain the blackhat has devoted to that purpose.

There's a social aspect to the attack as well, though it doesn't technically qualify as phishing. The open redirect pages of large companies or organizations aren't just valuable for their Google rank; they're also trusted locations. In my own example, a user might find it odd that a World of Warcraft link is apparently attached to an IBM website, but hey, it's IBM.

Warner has more details on how the attack functions once you actually hit the offending website, but it's essentially a variation on the scareware tactics we've seen before. The system attempts to convince you that you're *gasp* infected and must install a new antivirus product rightnowthankyouverymuch. I don't personally hold out much hope that the FTC will act swiftly enough to stop this problem from proliferating, but it shouldn't be hard to alter redirects to only accept referrals from verified websites.
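The fix the last sentence calls for, as an added example that is not code from the article or from any of the sites it names: a redirect handler that validates the destination against a fixed allowlist instead of forwarding to whatever URL the query string carries (checking the destination rather than the Referer header, which a browser may omit). The hostnames in `ALLOWED_HOSTS` and the sample inputs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: the only off-site hosts this redirector may send visitors to.
ALLOWED_HOSTS = {"www.example.com", "support.example.com"}


def vulnerable_redirect_target(url: str) -> str:
    """Open redirect as described in the article: forwards to whatever URL is supplied."""
    return url


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return a destination that stays on this site or on an allowlisted host.

    Everything else falls back to `default`: off-site hosts, non-http(s) schemes,
    scheme-relative '//host' forms, backslash variants some browsers treat the same
    way, and userinfo tricks such as 'https://www.example.com@evil.test'.
    """
    url = (url or "").strip()
    if not url:
        return default
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept only a plain same-site path. A leading '//' or '/\'
        # is scheme-relative in browsers and would leave the site.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return default
    # Absolute URL: http(s) only, no embedded credentials, host on the allowlist.
    if parts.scheme not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return default
    return url


if __name__ == "__main__":
    # Constructed sample 'u=' parameters, including a spam-style off-site target.
    for candidate in ("/account/settings", "https://evil.test/wow-gold",
                      "//evil.test/wow-gold", "https://www.example.com@evil.test/"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```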